The LeakNet ransomware group has significantly expanded its initial access capabilities by adopting ClickFix social engineering lures delivered through compromised legitimate websites, representing a strategic shift away from its previous reliance on initial access brokers (IABs) for stolen credentials. This low-cost, high-scale infection strategy allows LeakNet to independently compromise victims across multiple industries and geographic regions, reducing operational costs while dramatically increasing the potential victim pool. The ransomware group deploys a sophisticated Deno-based, in-memory loader specifically designed to evade detection by most security tools, demonstrating advanced technical capabilities combined with opportunistic mass-compromise tactics.
LeakNet ransomware first emerged in November 2024 and has since targeted Windows environments at organizations in Switzerland, Austria, the United States, Belgium, the Dominican Republic, Cyprus, Taiwan, Mauritius, and Canada. Victims span charitable organizations, manufacturing, healthcare, financial services, transportation, business services and consulting, insurance, sports and gaming, education, energy, architectural services, engineering services, and logistics, an indiscriminate spread that reflects a volume-driven approach rather than the selection of specific high-value targets.
The ClickFix social engineering technique appears on compromised but otherwise legitimate websites, where visitors encounter fake verification pages that instruct users to run commands on their systems, unknowingly triggering the ransomware infection chain. This drive-by compromise approach allows LeakNet to scale operations dramatically, reduce costs associated with purchasing initial access from criminal brokers, and infect any user who happens to visit the compromised site, regardless of their industry or organizational value.
LeakNet, first observed in November 2024, has changed how it obtains initial access. Instead of buying stolen credentials and network access from initial access brokers on underground forums, the group now seeds ClickFix social engineering lures on compromised legitimate websites. The change removes the group's dependence on third-party criminal services, lowers its cost per victim, and lets it reach far more potential victims than broker-supplied access would.
The lure is served from a compromised but otherwise legitimate website as a fake verification page styled as a routine security check or system update. The page instructs the visitor to run a specific command on their Windows system, presented as a troubleshooting or verification step; the command has typically been placed on the clipboard by the page so the victim only has to paste and press Enter. A user who follows the instructions starts the LeakNet infection chain. Because the lure fires for anyone who visits the site, the victim's industry, organization size, or value as a ransomware target plays no part in selection.
The pasted ClickFix command retrieves and runs a malicious installer through msiexec, whose embedded PowerShell and VBScript stages install a second-stage loader built on the Deno runtime, a legitimate and increasingly popular JavaScript and TypeScript runtime. LeakNet borrows the trust attached to a legitimate developer tool: it installs the digitally signed Deno application and then executes its own code inside the trusted Deno process.
The loader script is handed to Deno in encoded form on the command line rather than written to disk as a normal file, so file-based scanning never sees a script to inspect. This fileless, in-memory execution defeats tools that rely on scanning files written to disk, but it does not make the stage invisible: the encoded script is part of the process command line, which process creation telemetry (Sysmon Event ID 1, Windows Security Event ID 4688 with command-line logging enabled) records in full. Once running, the loader collects system details including username, device name, memory configuration, and operating system version, derives a unique victim identifier from them, and then contacts attacker-controlled command-and-control servers to retrieve further instructions and maintain a bidirectional channel.
Once LeakNet has established initial access, it follows a consistent attack pattern built for persistence and evasion. For persistence it uses DLL side-loading: a malicious DLL is placed next to a legitimate, signed executable so that the trusted program loads and runs attacker code. Specifically, LeakNet drops a malicious jli.dll into C:\ProgramData\USOShared, a directory that belongs to the Windows Update Session Orchestrator and therefore draws little attention from users or administrators.
jli.dll is the Java launcher library that java.exe and related Java launchers import. When a copy of a legitimate Java launcher is executed from USOShared, the Windows DLL search order resolves jli.dll from the application's own directory before any system or Java installation path, so the signed Java process loads the malicious DLL instead of the genuine one. The resulting activity inherits the reputation of a signed process and blends into normal system behavior, evading behavioral detections tuned for obviously suspicious binaries. The malware then establishes command-and-control communications using predictable network patterns, which paradoxically creates a detection opportunity despite its other evasion measures.
Before moving laterally, LeakNet enumerates what the compromised session can already authenticate to. It runs the built-in Windows klist utility via "cmd.exe /c klist", which lists the Kerberos tickets cached in the current logon session: the ticket-granting ticket for the logged-on domain account and any service tickets already obtained. The output reveals the domain, the account in use, and the service principal names of systems the account has recently accessed, all of which help the operator choose lateral movement targets.
For lateral movement LeakNet relies on PsExec, a standard administrative tool found on most Windows enterprise networks, to execute commands on other systems over SMB with the credentials it holds. This living-off-the-land approach makes the activity resemble routine IT administration. PsExec does leave a footprint, however: on each target it copies and installs the PSEXESVC service, which the System event log records as a service installation (Event ID 7045) and which is a reliable hunting signal on hosts where administrators do not use the tool.
Stolen data from compromised systems is staged locally, compressed into archives, and then transferred using cloud storage services, particularly Amazon S3 buckets. By leveraging legitimate cloud infrastructure for data exfiltration, LeakNet makes the malicious traffic appear as normal business-related cloud storage activity, evading network security controls that might otherwise flag suspicious outbound data transfers. Each step of the attack chain relies heavily on trusted tools, signed applications, and legitimate services, making detection considerably harder without behavior-based analytics and advanced threat hunting capabilities.
A similar ClickFix technique was also observed in a separate ransomware attempt using phishing through messaging platforms, suggesting either an expansion of LeakNet’s tactical repertoire or wider adoption of this low-cost, high-scale infection approach by other ransomware threat actors in the cybercriminal ecosystem.
Use Group Policy to restrict PsExec to the small set of administrator accounts that genuinely need it, for example with AppLocker or Windows Defender Application Control rules keyed to the Sysinternals publisher signature rather than a file path, since an attacker can rename or relocate the binary. LeakNet depends on PsExec to propagate, so removing it from ordinary users and servers materially limits the group's ability to spread and encrypt at scale. Pair the restriction with monitoring for PSEXESVC service installations, which catch PsExec use regardless of where the client binary ran from.
Deploy behavioral detection rules that alert on deno.exe executing outside designated software development environments. Focus on suspicious command-line arguments, in particular data: URLs carrying a base64-encoded script, which Deno accepts in place of a file path and which indicate fileless payload execution; unexpected parent-child process chains such as msiexec spawning PowerShell or VBScript that in turn launches Deno; and outbound connections from Deno processes to infrastructure that is not a recognized Deno package repository.
Create endpoint detection rules for jli.dll being loaded from C:\ProgramData\USOShared or any other directory outside the legitimate Java installation paths on the host (image load telemetry such as Sysmon Event ID 7 records both the loading process and the DLL path). A Java launcher loading jli.dll from a Windows Update directory is anomalous and should raise an immediate alert, since this is the persistence mechanism LeakNet relies on.
Alert on execution of "cmd.exe /c klist" on user endpoints, the command LeakNet uses to enumerate cached Kerberos tickets before lateral movement. klist has legitimate troubleshooting uses, so weight the alert by context: execution spawned from a script host or from deno.exe, or occurring alongside other post-exploitation indicators such as unusual network connections or PsExec activity, should be investigated immediately as probable ransomware reconnaissance.
Implement network monitoring for outbound connections to Amazon S3 endpoints from systems that have no business need for cloud storage access. LeakNet uses S3 for payload staging and for exfiltration, relying on the traffic looking like ordinary cloud usage. Maintain an allowlist of approved buckets and alert on connections to unknown buckets from critical systems, and on unusually large uploads from any host. Note that S3 traffic is TLS: with virtual-hosted URLs (bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com) the bucket name is visible in the TLS server name and in proxy logs, but with path-style URLs (s3.<region>.amazonaws.com/bucket/...) it sits in the request path and is only recoverable where the proxy inspects TLS.
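The allowlist check described above, as an added example that is not part of the advisory: it extracts the bucket name from both S3 URL styles Amazon supports (virtual-hosted and path-style) and flags requests from hosts that have no approved S3 use or that address buckets outside the allowlist. The proxy log lines, the approved buckets, the allowed hosts and the bucket name in the suspicious lines are all constructed for the demonstration; the log format (timestamp, source host, method, URL, bytes sent) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Assumed per-organization allowlists.
APPROVED_BUCKETS = {"corp-backups-prod", "corp-static-assets"}
S3_ALLOWED_HOSTS = {"backup01", "web02"}

# Virtual-hosted style: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# and the legacy bucket.s3-<region>.amazonaws.com form.
VHOST = re.compile(r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")
# Path style: s3.amazonaws.com/bucket/key or s3.<region>.amazonaws.com/bucket/key.
PATHSTYLE = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")

# Constructed proxy log: "<timestamp> <source host> <method> <url> <bytes sent>".
SAMPLE_PROXY_LOG = """\
2025-11-03T09:14:02Z backup01 PUT https://corp-backups-prod.s3.eu-west-1.amazonaws.com/daily/db.tar.zst 734003200
2025-11-03T09:20:45Z web02 GET https://corp-static-assets.s3.amazonaws.com/img/logo.png 18234
2025-11-03T11:02:13Z fin-ws-17 PUT https://s3.us-east-2.amazonaws.com/qx7-drop-8831/HR.zip 412000000
2025-11-03T11:03:01Z fin-ws-17 PUT https://qx7-drop-8831.s3.us-east-2.amazonaws.com/Finance.7z 988000000
2025-11-03T11:30:00Z fin-ws-17 GET https://updates.example.invalid/patch.bin 2048
"""
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")


def s3_bucket(url):
    """Return the bucket an S3 URL addresses, or None if the URL is not an S3 endpoint."""
    u = urlsplit(url)
    host = u.hostname or ""          # urlsplit lower-cases the host for us
    m = VHOST.match(host)
    if m:
        return m.group("bucket")
    if PATHSTYLE.match(host):
        first = u.path.lstrip("/").split("/", 1)[0]
        return first or None
    return None


def review(log_text):
    """Return (host, bucket, reason, bytes) for every S3 request that violates the allowlists."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        bucket = s3_bucket(m["url"])
        if bucket is None:
            continue                      # not S3 traffic, out of scope for this rule
        if m["host"] not in S3_ALLOWED_HOSTS:
            findings.append((m["host"], bucket, "host has no approved S3 use", int(m["bytes"])))
        elif bucket not in APPROVED_BUCKETS:
            findings.append((m["host"], bucket, "bucket not on allowlist", int(m["bytes"])))
    return findings


if __name__ == "__main__":
    for host, bucket, reason, sent in review(SAMPLE_PROXY_LOG):
        print(f"{host}: {reason} (bucket={bucket}, bytes_out={sent})")
```

The host check comes before the bucket check on purpose: a workstation with no S3 role talking to any bucket is the stronger signal, and it still fires where TLS inspection is unavailable and only the SNI host name is known. The regex anchors on the full amazonaws.com host so that a look-alike such as bucket.s3.amazonaws.com.attacker.invalid is not treated as S3.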
The threat advisory includes comprehensive indicators of compromise associated with LeakNet ransomware operations, including malicious command-and-control domains, IPv4 addresses of attacker infrastructure, file paths used for DLL sideloading persistence in C:\ProgramData\USOShared\jli.dll, filenames associated with PowerShell and VBScript components following Romeo and Juliet naming conventions, malicious URLs used for command-and-control communications, Amazon S3 bucket URLs used for payload staging and data exfiltration, and the TOR onion address for the LeakNet data leak site. Organizations should integrate these indicators into their security monitoring systems, endpoint detection platforms, and network security devices to identify potential LeakNet activity. Additionally, the advisory references multiple compromised legitimate websites across Switzerland, Austria, Belgium, United States, Dominican Republic, Cyprus, and other regions where ClickFix lures have been deployed.
The LeakNet campaign maps to the following MITRE ATT&CK tactics and techniques. Initial Access: Drive-by Compromise (T1189) when a victim visits a compromised legitimate website. Execution: User Execution via Malicious Copy and Paste (T1204.004) through the ClickFix lure, and Command and Scripting Interpreter using JavaScript (T1059.007), PowerShell (T1059.001) and Visual Basic (T1059.005). Defense Evasion: System Binary Proxy Execution via Msiexec (T1218.007), Hijack Execution Flow (T1574) through DLL side-loading, and Reflective Code Loading (T1620) for the fileless in-memory payload. Discovery: Account Discovery (T1087) to identify lateral movement targets. Lateral Movement: Remote Services over SMB/Windows Admin Shares (T1021.002) using PsExec. Command and Control: Application Layer Protocol over Web Protocols (T1071.001) and Web Service with Bidirectional Communication (T1102.002). Collection: Archive Collected Data (T1560) before exfiltration. Exfiltration: Exfiltration Over Web Service to Cloud Storage (T1567.002) using Amazon S3. Impact: Data Encrypted for Impact (T1486), with payment demanded for the decryption keys.
The threat advisory references authoritative security research from ReliaQuest documenting LeakNet’s scaling threat through ClickFix social engineering and Deno-based loaders. The advisory also includes references to multiple compromised legitimate websites across various industries and geographic regions where ClickFix lures have been deployed, demonstrating the widespread nature of this low-cost, high-scale infection strategy. These references provide additional technical depth and real-world examples for security teams investigating LeakNet activity or implementing defensive measures against ClickFix-based ransomware campaigns.